Analysis

  • max time kernel
    151s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-09-2022 15:52

General

  • Target

    24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a.exe

  • Size

    412KB

  • MD5

    4aae92d39c5aca5fba29bf92cf6b84d2

  • SHA1

    f023ad70ebc5486f479c4f100fccb42e6c79909a

  • SHA256

    24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a

  • SHA512

    8e923140617910155b30821e50893f8b9bdbb97a1efc6cc18f4f7afb8d3a187662874f83963f345477ee9a769f29dc3670d350ac6d6e04468c8bc510acc289bd

  • SSDEEP

    12288:g7TtcP/wjj/SkZW7zy7nzo1NmN8a4jpxE/P:g7RcP/wvqkZNonmN8a4jpxK

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
3C 2C BA 89 E8 28 A8 B3 7B 82 79 34 53 67 CE C0 9F 99 1F 49 A7 E1 2F 78 A6 B1 15 5C 35 67 DE 99 3A C9 49 4D 44 77 EE C9 46 96 15 03 32 5D D3 4E 9B 65 46 CE 16 AA 65 79 66 FF B3 4D 65 63 24 FC 0A BF 52 1E 52 CD C2 5A 81 2C F3 FC 8A 32 DC 53 F4 62 41 BB E9 9F 12 DB 8A 01 0B 3D 9F 4E DD 85 EF 14 E3 D8 DC AF 46 DF 2A 50 FF 43 B3 97 E9 38 54 37 D3 2F AE E2 34 E4 3C 11 4E 82 97 E3 C7 32 C8 5A 87 3C 0D 8A 80 11 4F E0 F0 4B 7B B3 D1 76 38 A1 A7 F7 09 6B 5E 3A 1B 84 BC 15 F0 1D C9 6A 84 7A 59 61 AE D6 73 83 EF 14 5A 2E 1D 9F F2 BE EF 33 C3 76 18 6B 62 E6 8B C5 32 8F 02 75 D2 8A EC 8E 26 AC EE 41 BF F0 FA 57 EA 6C F3 1E 8A 51 65 B2 FB 5A BA FB E4 B2 59 0F 20 90 6B 7E 6C 8C 07 52 BD 78 9B E5 63 48 A8 50 BF 80 A3 1E 6D 82 00 61 7F 1B 7F FC 3B 2B 0E 83 BC 56 35 C2 2A D1

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 3 IoCs
  • Nirsoft 7 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 9 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 36 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a.exe
    "C:\Users\Admin\AppData\Local\Temp\24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security bypass
    • Loads dropped DLL
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\䵄䵃䵆䵳䵉䵒䵆䵵䵆䵈䵈䵅䵳䵹䵲\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1168
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\䵄䵃䵆䵳䵉䵒䵆䵵䵆䵈䵈䵅䵳䵹䵲\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1336
    • C:\Users\Admin\AppData\Local\Temp\79b2790f-b3e1-4fd6-ac06-8bfaa7e3c8fd\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\79b2790f-b3e1-4fd6-ac06-8bfaa7e3c8fd\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\79b2790f-b3e1-4fd6-ac06-8bfaa7e3c8fd\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Users\Admin\AppData\Local\Temp\79b2790f-b3e1-4fd6-ac06-8bfaa7e3c8fd\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\79b2790f-b3e1-4fd6-ac06-8bfaa7e3c8fd\AdvancedRun.exe" /SpecialRun 4101d8 1584
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1488
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2008
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: RenamesItself
      PID:1328
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\read-me.txt
    1⤵
      PID:692

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Temp\79b2790f-b3e1-4fd6-ac06-8bfaa7e3c8fd\AdvancedRun.exe

      Filesize

      88KB

      MD5

      17fc12902f4769af3a9271eb4e2dacce

      SHA1

      9a4a1581cc3971579574f837e110f3bd6d529dab

      SHA256

      29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

      SHA512

      036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      3cc5a6a59640b7c5abe4675ae23ce25d

      SHA1

      177325af28fe2aa8d0fc53c584a3f9e31b160f7c

      SHA256

      9fb5766a1c6bc89a7cb21246a6540e9bee9eca1d53037b34b1584ee091f6b6d9

      SHA512

      67710eca09cf6d5eacdfb2ba37088505eadcc05ce37c21542bce39bc12648fec37d4c02e4bb4d52432c0cca7c058b0805eb98d1aa7a1725a848483735db04258

    • C:\Users\Public\Desktop\read-me.txt

      Filesize

      1KB

      MD5

      d1962dc833c8ec2786dffd3d6c3a771d

      SHA1

      d580e9399308709f284d602f70ee2dceac96c8b1

      SHA256

      3cdd6a42106212df86226e8f237c714dd9d95c1c643f85c09b0868deaf599e71

      SHA512

      d498e9a1021923b420eab8e709c26fdd1d282508053598eaeb29111a9a1d951907f4e746e510745511755a9ccf2be992c282bcc4b2ee55ef20cf02bb2228238a

    • C:\Users\Public\Documents\䵄䵃䵆䵳䵉䵒䵆䵵䵆䵈䵈䵅䵳䵹䵲\svchost.exe

      Filesize

      412KB

      MD5

      7b8224b20a7c50b5d45aa2a94014820d

      SHA1

      6d230c03fafbf5016b64b3e7611193924d24ff6d

      SHA256

      48d17351384e547570887864e00e09cbce5598ffab59b08666c8cf8e322adc50

      SHA512

      c1beb5192cdaa0656be709fc4d9208ac44c8c68f1ca729d3b00c96a84084291cbe590b86c350f102c8647ffb4ba06ec32d08b92b9f42cea23c0bd4ee60894f9e

    • \Users\Admin\AppData\Local\Temp\79b2790f-b3e1-4fd6-ac06-8bfaa7e3c8fd\AdvancedRun.exe

      Filesize

      88KB

      MD5

      17fc12902f4769af3a9271eb4e2dacce

      SHA1

      9a4a1581cc3971579574f837e110f3bd6d529dab

      SHA256

      29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

      SHA512

      036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    • memory/692-92-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

      Filesize

      8KB

    • memory/1168-76-0x000000006F800000-0x000000006FDAB000-memory.dmp

      Filesize

      5.7MB

    • memory/1168-79-0x000000006F800000-0x000000006FDAB000-memory.dmp

      Filesize

      5.7MB

    • memory/1328-89-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

    • memory/1328-88-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

    • memory/1328-91-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

    • memory/1328-84-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

    • memory/1336-75-0x000000006F800000-0x000000006FDAB000-memory.dmp

      Filesize

      5.7MB

    • memory/1336-77-0x000000006F800000-0x000000006FDAB000-memory.dmp

      Filesize

      5.7MB

    • memory/1500-78-0x000000006F800000-0x000000006FDAB000-memory.dmp

      Filesize

      5.7MB

    • memory/1500-74-0x000000006F800000-0x000000006FDAB000-memory.dmp

      Filesize

      5.7MB

    • memory/1516-54-0x00000000008F0000-0x000000000095E000-memory.dmp

      Filesize

      440KB

    • memory/1516-55-0x0000000075841000-0x0000000075843000-memory.dmp

      Filesize

      8KB

    • memory/2008-83-0x000000006FA20000-0x000000006FFCB000-memory.dmp

      Filesize

      5.7MB